Microsoft Says Secret Data Requests Are Now The Norm, Sues U.S. Government

Microsoft filed a lawsuit in a federal court against the U.S. government over its expanding use of gag orders for data requests. The company said that almost half of the data requests are secret, with more than two-thirds of the gag orders having no time limit for expiration, meaning the users would never be notified about them.

Microsoft, which is now a major cloud services provider, has become increasingly worried about how many of the data requests from the U.S. government are accompanied by gag orders. Once a gag order is served, the company can no longer notify its users about the warrants it received for their data.

The company believes that the U.S. government is using the increasing popularity of cloud services as a way to skirt around the Fourth Amendment, which gives people the right to know when the government searches or seizes their property. Microsoft also believes that these gag orders violate the First Amendment, which guarantees the company the right to talk to its customers.

Evolution Of Data Storage (And The Degradation Of Privacy Rights)

In the past, individuals and businesses would keep their information in documents stored in file cabinets and desk drawers on local premises. That data then transitioned to being stored on local computers and servers, but it remained within a user’s physical possession and control. In both of those eras, the government had to notify the user or the company when it needed access to that data, and then it would serve them a warrant.

Now, more and more personal data is stored in the “cloud,” or on other companies’ servers, because that’s how the world evolved to allow people access to their data from wherever they may be. However, Microsoft believes that people still have the same expectations of privacy, even if the government can technically now take that data whenever it wishes, without notifying its customers.

Microsoft also said that businesses that are its cloud customers routinely tell it that they want to be notified about government requests so that their own lawyers can take a look at the legal requests and then decide whether or not they have to turn over the data.

Microsoft has argued before that law enforcement everywhere, including in the European Union, should go directly to its enterprise customers to obtain their data. However, the company is only now making the argument that individuals should be notified, as well.

As discussed in a previous post about the new Email Privacy Act (EPA), it shouldn’t matter that it’s now easier for governments to avoid telling individuals when their data is requested, just because that data is stored somewhere else.

That data is theirs and therefore they should be notified when the government has access to it. However, the Email Privacy Act has so far made the compromise to remove the initial rule that would’ve required the government to give notice to users. That may still change if Microsoft wins this lawsuit by the time the bill reaches the Senate, where it could be amended.

Microsoft’s Solution

Microsoft hopes that, regardless of how the lawsuit proceeds, the Department of Justice will immediately issue a new policy that restricts these out-of-control gag orders from law enforcement.

If that doesn’t happen, then the company wishes Congress would amend the Electronic Communications Protection Act (likely through the new EPA reform) to require government notice for warrants. Microsoft also said that the current ECPA allows the government to issue more secret orders than it would be able to serve under other laws.

If Congress amends the law, then the company hopes it follows three principles:

- Transparency: People have the right to know when the company storing their information has been sent a legal request for their data. The companies themselves should also have the right to tell their customers when a request was served.

- Digital neutrality: Customers should benefit from the same type of privacy protections in the online world as they do in the offline world.

- Necessity: Secrecy orders should be adapted to only what’s necessary for an investigation. If there’s a good reason for the secrecy to continue, then that order could be extended based on necessity.

Microsoft’s Lawsuits Against U.S. Government

Microsoft also noted that although this is the fourth lawsuit it has filed against the U.S. government to protect its customers’ privacy, it hasn’t taken this action lightly, and it has only done so when it considered the government's requests to be out-of-bounds.

In the first lawsuit, Microsoft settled with the U.S. government, allowing the company to disclose how many data requests it receives. The second one was because of a government-issued National Security Letter, which the government ended up withdrawing. The U.S. government has a tendency to withdraw its NSLs when challenged, likely because there's a potential issue of unconstitutionality. It would prefer to lose a case by withdrawing an NSL, but continue to issue NSLs to other companies or individuals unwilling to challenge them in court.

The third lawsuit is the one where Microsoft challenged a U.S. search warrant for an email of a customer from Ireland. This lawsuit is still pending in the U.S. Court of Appeals for the Second Circuit.

Microsoft filed this fourth one in the U.S. District Court for the Western District of Washington.

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.